mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-15 16:07:26 +00:00
opensc: fix CVE-2024-45616
CVE-2024-45616: A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. The following problems were caused by insufficient control of the response APDU buffer and its length when communicating with the card. Reference: [https://nvd.nist.gov/vuln/detail/CVE-2024-45616] Upstream patches: [https://github.com/OpenSC/OpenSC/commit/1d3b410e06d33cfc4c70e8a25386e456cfbd7bd1] [https://github.com/OpenSC/OpenSC/commit/265b28344d036a462f38002d957a0636fda57614] [https://github.com/OpenSC/OpenSC/commit/e7177c7ca00200afea820d155dca67f38b232967] [https://github.com/OpenSC/OpenSC/commit/ef7b10a18e6a4d4f03f0c47ea81aa8136f3eca60] [https://github.com/OpenSC/OpenSC/commit/76115e34799906a64202df952a8a9915d30bc89d] [https://github.com/OpenSC/OpenSC/commit/16ada9dc7cddf1cb99516aea67b6752c251c94a2] [https://github.com/OpenSC/OpenSC/commit/3562969c90a71b0bcce979f0e6d627546073a7fc] [https://github.com/OpenSC/OpenSC/commit/cccdfc46b10184d1eea62d07fe2b06240b7fafbc] [https://github.com/OpenSC/OpenSC/commit/5fa758767e517779fc5398b6b4faedc4e36d3de5] [https://github.com/OpenSC/OpenSC/commit/aa102cd9abe1b0eaf537d9dd926844a46060d8bc] Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
@@ -0,0 +1,52 @@
|
|||||||
|
From 1d3b410e06d33cfc4c70e8a25386e456cfbd7bd1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
|
||||||
|
Date: Thu, 11 Jul 2024 15:27:19 +0200
|
||||||
|
Subject: [PATCH] cardos: Fix uninitialized values
|
||||||
|
|
||||||
|
Thanks Matteo Marini for report
|
||||||
|
https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
|
||||||
|
|
||||||
|
fuzz_card/2
|
||||||
|
|
||||||
|
CVE: CVE-2024-45616
|
||||||
|
Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/1d3b410e06d33cfc4c70e8a25386e456cfbd7bd1]
|
||||||
|
|
||||||
|
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
|
||||||
|
---
|
||||||
|
src/libopensc/card-cardos.c | 8 ++++----
|
||||||
|
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c
|
||||||
|
index 2e2d524333..a0e2322478 100644
|
||||||
|
--- a/src/libopensc/card-cardos.c
|
||||||
|
+++ b/src/libopensc/card-cardos.c
|
||||||
|
@@ -94,14 +94,14 @@ static void fixup_transceive_length(const struct sc_card *card,
|
||||||
|
|
||||||
|
static int cardos_match_card(sc_card_t *card)
|
||||||
|
{
|
||||||
|
- unsigned char atr[SC_MAX_ATR_SIZE];
|
||||||
|
+ unsigned char atr[SC_MAX_ATR_SIZE] = { 0 };
|
||||||
|
int i;
|
||||||
|
|
||||||
|
i = _sc_match_atr(card, cardos_atrs, &card->type);
|
||||||
|
if (i < 0)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
- memcpy(atr, card->atr.value, sizeof(atr));
|
||||||
|
+ memcpy(atr, card->atr.value, card->atr.len);
|
||||||
|
|
||||||
|
/* Do not change card type for CIE! */
|
||||||
|
if (card->type == SC_CARD_TYPE_CARDOS_CIE_V1)
|
||||||
|
@@ -114,8 +114,8 @@ static int cardos_match_card(sc_card_t *card)
|
||||||
|
return 1;
|
||||||
|
if (card->type == SC_CARD_TYPE_CARDOS_M4_2) {
|
||||||
|
int rv;
|
||||||
|
- sc_apdu_t apdu;
|
||||||
|
- u8 rbuf[SC_MAX_APDU_BUFFER_SIZE];
|
||||||
|
+ sc_apdu_t apdu = { 0 };
|
||||||
|
+ u8 rbuf[SC_MAX_APDU_BUFFER_SIZE] = { 0 };
|
||||||
|
/* first check some additional ATR bytes */
|
||||||
|
if ((atr[4] != 0xff && atr[4] != 0x02) ||
|
||||||
|
(atr[6] != 0x10 && atr[6] != 0x0a) ||
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
@@ -0,0 +1,48 @@
|
|||||||
|
From 265b28344d036a462f38002d957a0636fda57614 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
|
||||||
|
Date: Thu, 1 Aug 2024 10:32:40 +0200
|
||||||
|
Subject: [PATCH] card-cardos: Check length of APDU response
|
||||||
|
|
||||||
|
CVE: CVE-2024-45616
|
||||||
|
Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/265b28344d036a462f38002d957a0636fda57614]
|
||||||
|
|
||||||
|
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
|
||||||
|
---
|
||||||
|
src/libopensc/card-cardos.c | 8 ++++----
|
||||||
|
1 file changed, 4 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c
|
||||||
|
index 124752d78b..595ec099e3 100644
|
||||||
|
--- a/src/libopensc/card-cardos.c
|
||||||
|
+++ b/src/libopensc/card-cardos.c
|
||||||
|
@@ -94,7 +94,7 @@ static void fixup_transceive_length(const struct sc_card *card,
|
||||||
|
|
||||||
|
static int cardos_match_card(sc_card_t *card)
|
||||||
|
{
|
||||||
|
- unsigned char atr[SC_MAX_ATR_SIZE] = { 0 };
|
||||||
|
+ unsigned char atr[SC_MAX_ATR_SIZE] = {0};
|
||||||
|
int i;
|
||||||
|
|
||||||
|
i = _sc_match_atr(card, cardos_atrs, &card->type);
|
||||||
|
@@ -114,8 +114,8 @@ static int cardos_match_card(sc_card_t *card)
|
||||||
|
return 1;
|
||||||
|
if (card->type == SC_CARD_TYPE_CARDOS_M4_2) {
|
||||||
|
int rv;
|
||||||
|
- sc_apdu_t apdu = { 0 };
|
||||||
|
- u8 rbuf[SC_MAX_APDU_BUFFER_SIZE] = { 0 };
|
||||||
|
+ sc_apdu_t apdu = {0};
|
||||||
|
+ u8 rbuf[SC_MAX_APDU_BUFFER_SIZE] = {0};
|
||||||
|
/* first check some additional ATR bytes */
|
||||||
|
if ((atr[4] != 0xff && atr[4] != 0x02) ||
|
||||||
|
(atr[6] != 0x10 && atr[6] != 0x0a) ||
|
||||||
|
@@ -131,7 +131,7 @@ static int cardos_match_card(sc_card_t *card)
|
||||||
|
apdu.lc = 0;
|
||||||
|
rv = sc_transmit_apdu(card, &apdu);
|
||||||
|
LOG_TEST_RET(card->ctx, rv, "APDU transmit failed");
|
||||||
|
- if (apdu.sw1 != 0x90 || apdu.sw2 != 0x00)
|
||||||
|
+ if (apdu.sw1 != 0x90 || apdu.sw2 != 0x00 || apdu.resplen < 2)
|
||||||
|
return 0;
|
||||||
|
if (apdu.resp[0] != atr[10] ||
|
||||||
|
apdu.resp[1] != atr[11])
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
@@ -0,0 +1,42 @@
|
|||||||
|
From e7177c7ca00200afea820d155dca67f38b232967 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jakub Jelen <jjelen@redhat.com>
|
||||||
|
Date: Mon, 20 May 2024 22:14:48 +0200
|
||||||
|
Subject: [PATCH] cac: Correctly calculate certificate length based on the
|
||||||
|
resplen
|
||||||
|
|
||||||
|
Thanks Matteo Marini for report
|
||||||
|
|
||||||
|
https://github.com/OpenSC/OpenSC/security/advisories/GHSA-h5f7-rjr5-vx54
|
||||||
|
|
||||||
|
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
||||||
|
|
||||||
|
CVE: CVE-2024-45616
|
||||||
|
Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/e7177c7ca00200afea820d155dca67f38b232967]
|
||||||
|
|
||||||
|
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
|
||||||
|
---
|
||||||
|
src/libopensc/card-cac1.c | 6 +++---
|
||||||
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/libopensc/card-cac1.c b/src/libopensc/card-cac1.c
|
||||||
|
index 50c0928f5..bbdbc0a8d 100644
|
||||||
|
--- a/src/libopensc/card-cac1.c
|
||||||
|
+++ b/src/libopensc/card-cac1.c
|
||||||
|
@@ -95,12 +95,12 @@ static int cac_cac1_get_certificate(sc_card_t *card, u8 **out_buf, size_t *out_l
|
||||||
|
if (apdu.sw1 != 0x63 || apdu.sw2 < 1) {
|
||||||
|
/* we've either finished reading, or hit an error, break */
|
||||||
|
r = sc_check_sw(card, apdu.sw1, apdu.sw2);
|
||||||
|
- left -= len;
|
||||||
|
+ left -= apdu.resplen;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
/* Adjust the lengths */
|
||||||
|
- left -= len;
|
||||||
|
- out_ptr += len;
|
||||||
|
+ left -= apdu.resplen;
|
||||||
|
+ out_ptr += apdu.resplen;
|
||||||
|
len = MIN(left, apdu.sw2);
|
||||||
|
}
|
||||||
|
if (r < 0) {
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
@@ -0,0 +1,43 @@
|
|||||||
|
From ef7b10a18e6a4d4f03f0c47ea81aa8136f3eca60 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
|
||||||
|
Date: Thu, 18 Jul 2024 15:39:15 +0200
|
||||||
|
Subject: [PATCH] card-oberthur: Check length of serial number
|
||||||
|
|
||||||
|
Thanks Matteo Marini for report
|
||||||
|
https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
|
||||||
|
|
||||||
|
fuzz_pkcs11/1, fuzz_pkcs15init/2
|
||||||
|
|
||||||
|
CVE: CVE-2024-45616
|
||||||
|
Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/ef7b10a18e6a4d4f03f0c47ea81aa8136f3eca60]
|
||||||
|
|
||||||
|
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
|
||||||
|
---
|
||||||
|
src/libopensc/card-oberthur.c | 5 ++++-
|
||||||
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/libopensc/card-oberthur.c b/src/libopensc/card-oberthur.c
|
||||||
|
index 1fc40f7b3..bd45b6ff5 100644
|
||||||
|
--- a/src/libopensc/card-oberthur.c
|
||||||
|
+++ b/src/libopensc/card-oberthur.c
|
||||||
|
@@ -148,7 +148,7 @@ auth_select_aid(struct sc_card *card)
|
||||||
|
{
|
||||||
|
struct sc_apdu apdu;
|
||||||
|
unsigned char apdu_resp[SC_MAX_APDU_BUFFER_SIZE];
|
||||||
|
- struct auth_private_data *data = (struct auth_private_data *) card->drv_data;
|
||||||
|
+ struct auth_private_data *data = (struct auth_private_data *)card->drv_data;
|
||||||
|
int rv, ii;
|
||||||
|
struct sc_path tmp_path;
|
||||||
|
|
||||||
|
@@ -165,6 +165,9 @@ auth_select_aid(struct sc_card *card)
|
||||||
|
|
||||||
|
rv = sc_transmit_apdu(card, &apdu);
|
||||||
|
LOG_TEST_RET(card->ctx, rv, "APDU transmit failed");
|
||||||
|
+ if (apdu.resplen < 20) {
|
||||||
|
+ LOG_TEST_RET(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Serial number has incorrect length");
|
||||||
|
+ }
|
||||||
|
card->serialnr.len = 4;
|
||||||
|
memcpy(card->serialnr.value, apdu.resp+15, 4);
|
||||||
|
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
@@ -0,0 +1,34 @@
|
|||||||
|
From 76115e34799906a64202df952a8a9915d30bc89d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jakub Jelen <jjelen@redhat.com>
|
||||||
|
Date: Mon, 20 May 2024 21:19:15 +0200
|
||||||
|
Subject: [PATCH] gids: Avoid using uninitialized memory
|
||||||
|
|
||||||
|
Thanks Matteo Marini for report
|
||||||
|
|
||||||
|
https://github.com/OpenSC/OpenSC/security/advisories/GHSA-h5f7-rjr5-vx54
|
||||||
|
|
||||||
|
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
||||||
|
|
||||||
|
CVE: CVE-2024-45616
|
||||||
|
Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/76115e34799906a64202df952a8a9915d30bc89d]
|
||||||
|
|
||||||
|
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
|
||||||
|
---
|
||||||
|
src/libopensc/card-gids.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/libopensc/card-gids.c b/src/libopensc/card-gids.c
|
||||||
|
index f25e37de4..10960875d 100644
|
||||||
|
--- a/src/libopensc/card-gids.c
|
||||||
|
+++ b/src/libopensc/card-gids.c
|
||||||
|
@@ -251,7 +251,7 @@ static int gids_get_DO(sc_card_t* card, int fileIdentifier, int dataObjectIdenti
|
||||||
|
LOG_TEST_RET(card->ctx, r, "gids get data failed");
|
||||||
|
LOG_TEST_RET(card->ctx, sc_check_sw(card, apdu.sw1, apdu.sw2), "invalid return");
|
||||||
|
|
||||||
|
- p = sc_asn1_find_tag(card->ctx, buffer, sizeof(buffer), dataObjectIdentifier, &datasize);
|
||||||
|
+ p = sc_asn1_find_tag(card->ctx, buffer, apdu.resplen, dataObjectIdentifier, &datasize);
|
||||||
|
if (!p) {
|
||||||
|
LOG_FUNC_RETURN(card->ctx, SC_ERROR_FILE_NOT_FOUND);
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
@@ -0,0 +1,50 @@
|
|||||||
|
From 16ada9dc7cddf1cb99516aea67b6752c251c94a2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
|
||||||
|
Date: Fri, 12 Jul 2024 15:04:19 +0200
|
||||||
|
Subject: [PATCH] card-gids: Use actual length of reponse buffer
|
||||||
|
|
||||||
|
Thanks Matteo Marini for report
|
||||||
|
https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
|
||||||
|
|
||||||
|
fuzz_pkcs11/11
|
||||||
|
|
||||||
|
CVE: CVE-2024-45616
|
||||||
|
Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/16ada9dc7cddf1cb99516aea67b6752c251c94a2]
|
||||||
|
|
||||||
|
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
|
||||||
|
---
|
||||||
|
src/libopensc/card-gids.c | 6 ++++--
|
||||||
|
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/libopensc/card-gids.c b/src/libopensc/card-gids.c
|
||||||
|
index f25e37de4..91e1e0569 100644
|
||||||
|
--- a/src/libopensc/card-gids.c
|
||||||
|
+++ b/src/libopensc/card-gids.c
|
||||||
|
@@ -231,6 +231,7 @@ static int gids_get_DO(sc_card_t* card, int fileIdentifier, int dataObjectIdenti
|
||||||
|
size_t datasize = 0;
|
||||||
|
const u8* p;
|
||||||
|
u8 buffer[MAX_GIDS_FILE_SIZE];
|
||||||
|
+ size_t buffer_len = sizeof(buffer);
|
||||||
|
|
||||||
|
SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_VERBOSE);
|
||||||
|
sc_log(card->ctx,
|
||||||
|
@@ -244,14 +245,15 @@ static int gids_get_DO(sc_card_t* card, int fileIdentifier, int dataObjectIdenti
|
||||||
|
apdu.data = data;
|
||||||
|
apdu.datalen = 04;
|
||||||
|
apdu.resp = buffer;
|
||||||
|
- apdu.resplen = sizeof(buffer);
|
||||||
|
+ apdu.resplen = buffer_len;
|
||||||
|
apdu.le = 256;
|
||||||
|
|
||||||
|
r = sc_transmit_apdu(card, &apdu);
|
||||||
|
LOG_TEST_RET(card->ctx, r, "gids get data failed");
|
||||||
|
LOG_TEST_RET(card->ctx, sc_check_sw(card, apdu.sw1, apdu.sw2), "invalid return");
|
||||||
|
+ buffer_len = apdu.resplen;
|
||||||
|
|
||||||
|
- p = sc_asn1_find_tag(card->ctx, buffer, apdu.resplen, dataObjectIdentifier, &datasize);
|
||||||
|
+ p = sc_asn1_find_tag(card->ctx, buffer, buffer_len, dataObjectIdentifier, &datasize);
|
||||||
|
if (!p) {
|
||||||
|
LOG_FUNC_RETURN(card->ctx, SC_ERROR_FILE_NOT_FOUND);
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
@@ -0,0 +1,56 @@
|
|||||||
|
From 3562969c90a71b0bcce979f0e6d627546073a7fc Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
|
||||||
|
Date: Fri, 12 Jul 2024 14:16:24 +0200
|
||||||
|
Subject: [PATCH] card-mcrd: Check length of response buffer in select
|
||||||
|
|
||||||
|
Thanks Matteo Marini for report
|
||||||
|
https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
|
||||||
|
|
||||||
|
fuzz_pkcs11/5,12 fuzz_pkcs15_crypt/9
|
||||||
|
|
||||||
|
CVE: CVE-2024-45616
|
||||||
|
Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/3562969c90a71b0bcce979f0e6d627546073a7fc]
|
||||||
|
|
||||||
|
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
|
||||||
|
---
|
||||||
|
src/libopensc/card-mcrd.c | 11 +++++++----
|
||||||
|
1 file changed, 7 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/libopensc/card-mcrd.c b/src/libopensc/card-mcrd.c
|
||||||
|
index fb5d02f89..30812e8a6 100644
|
||||||
|
--- a/src/libopensc/card-mcrd.c
|
||||||
|
+++ b/src/libopensc/card-mcrd.c
|
||||||
|
@@ -634,11 +634,13 @@ do_select(sc_card_t * card, u8 kind,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (p2 == 0x04 && apdu.resp[0] == 0x62) {
|
||||||
|
+ if (p2 == 0x04 && apdu.resplen > 2 && apdu.resp[0] == 0x62) {
|
||||||
|
*file = sc_file_new();
|
||||||
|
if (!*file)
|
||||||
|
LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
|
||||||
|
/* EstEID v3.0 cards are buggy and sometimes return a double 0x62 tag */
|
||||||
|
+ if (apdu.resp[1] > apdu.resplen - 2)
|
||||||
|
+ LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_DATA);
|
||||||
|
if (card->type == SC_CARD_TYPE_MCRD_ESTEID_V30 && apdu.resp[2] == 0x62)
|
||||||
|
process_fcp(card, *file, apdu.resp + 4, apdu.resp[3]);
|
||||||
|
else
|
||||||
|
@@ -646,12 +648,13 @@ do_select(sc_card_t * card, u8 kind,
|
||||||
|
return SC_SUCCESS;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (p2 != 0x0C && apdu.resp[0] == 0x6F) {
|
||||||
|
+ if (p2 != 0x0C && apdu.resplen > 2 && apdu.resp[0] == 0x6F) {
|
||||||
|
*file = sc_file_new();
|
||||||
|
if (!*file)
|
||||||
|
LOG_FUNC_RETURN(card->ctx, SC_ERROR_OUT_OF_MEMORY);
|
||||||
|
- if (apdu.resp[1] <= apdu.resplen)
|
||||||
|
- process_fcp(card, *file, apdu.resp + 2, apdu.resp[1]);
|
||||||
|
+ if (apdu.resp[1] > apdu.resplen - 2)
|
||||||
|
+ LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_DATA);
|
||||||
|
+ process_fcp(card, *file, apdu.resp + 2, apdu.resp[1]);
|
||||||
|
return SC_SUCCESS;
|
||||||
|
}
|
||||||
|
return SC_SUCCESS;
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
@@ -0,0 +1,74 @@
|
|||||||
|
From cccdfc46b10184d1eea62d07fe2b06240b7fafbc Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
|
||||||
|
Date: Fri, 12 Jul 2024 13:16:56 +0200
|
||||||
|
Subject: [PATCH] card-dnie: Check APDU response length and ASN1 lengths
|
||||||
|
|
||||||
|
Thanks Matteo Marini for report
|
||||||
|
https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
|
||||||
|
|
||||||
|
fuzz_pkcs15_decode/10, fuzz_pkcs15_encode/12
|
||||||
|
|
||||||
|
CVE: CVE-2024-45616
|
||||||
|
Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/cccdfc46b10184d1eea62d07fe2b06240b7fafbc]
|
||||||
|
|
||||||
|
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
|
||||||
|
---
|
||||||
|
src/libopensc/asn1.c | 4 +++-
|
||||||
|
src/libopensc/card-dnie.c | 8 ++++++--
|
||||||
|
2 files changed, 9 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/libopensc/asn1.c b/src/libopensc/asn1.c
|
||||||
|
index 08ef56149c..548263a2da 100644
|
||||||
|
--- a/src/libopensc/asn1.c
|
||||||
|
+++ b/src/libopensc/asn1.c
|
||||||
|
@@ -68,7 +68,7 @@ int sc_asn1_read_tag(const u8 ** buf, size_t buflen, unsigned int *cla_out,
|
||||||
|
|
||||||
|
*buf = NULL;
|
||||||
|
|
||||||
|
- if (left == 0 || !p)
|
||||||
|
+ if (left == 0 || !p || buflen == 0)
|
||||||
|
return SC_ERROR_INVALID_ASN1_OBJECT;
|
||||||
|
if (*p == 0xff || *p == 0) {
|
||||||
|
/* end of data reached */
|
||||||
|
@@ -83,6 +83,8 @@ int sc_asn1_read_tag(const u8 ** buf, size_t buflen, unsigned int *cla_out,
|
||||||
|
*/
|
||||||
|
cla = (*p & SC_ASN1_TAG_CLASS) | (*p & SC_ASN1_TAG_CONSTRUCTED);
|
||||||
|
tag = *p & SC_ASN1_TAG_PRIMITIVE;
|
||||||
|
+ if (left < 1)
|
||||||
|
+ return SC_ERROR_INVALID_ASN1_OBJECT;
|
||||||
|
p++;
|
||||||
|
left--;
|
||||||
|
if (tag == SC_ASN1_TAG_PRIMITIVE) {
|
||||||
|
diff --git a/src/libopensc/card-dnie.c b/src/libopensc/card-dnie.c
|
||||||
|
index 2c36ddf5c..25c15b2b7 100644
|
||||||
|
--- a/src/libopensc/card-dnie.c
|
||||||
|
+++ b/src/libopensc/card-dnie.c
|
||||||
|
@@ -1185,12 +1185,16 @@ static int dnie_compose_and_send_apdu(sc_card_t *card, const u8 *path, size_t pa
|
||||||
|
|
||||||
|
if (file_out) {
|
||||||
|
/* finally process FCI response */
|
||||||
|
+ size_t len = apdu.resp[1];
|
||||||
|
sc_file_free(*file_out);
|
||||||
|
*file_out = sc_file_new();
|
||||||
|
if (*file_out == NULL) {
|
||||||
|
LOG_FUNC_RETURN(ctx, SC_ERROR_OUT_OF_MEMORY);
|
||||||
|
}
|
||||||
|
- res = card->ops->process_fci(card, *file_out, apdu.resp + 2, apdu.resp[1]);
|
||||||
|
+ if (apdu.resplen - 2 < len || len < 1) {
|
||||||
|
+ LOG_FUNC_RETURN(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED);
|
||||||
|
+ }
|
||||||
|
+ res = card->ops->process_fci(card, *file_out, apdu.resp + 2, len);
|
||||||
|
}
|
||||||
|
LOG_FUNC_RETURN(ctx, res);
|
||||||
|
}
|
||||||
|
@@ -1948,7 +1952,7 @@ static int dnie_process_fci(struct sc_card *card,
|
||||||
|
int *op = df_acl;
|
||||||
|
int n = 0;
|
||||||
|
sc_context_t *ctx = NULL;
|
||||||
|
- if ((card == NULL) || (card->ctx == NULL) || (file == NULL))
|
||||||
|
+ if ((card == NULL) || (card->ctx == NULL) || (file == NULL) || buflen == 0)
|
||||||
|
return SC_ERROR_INVALID_ARGUMENTS;
|
||||||
|
ctx = card->ctx;
|
||||||
|
LOG_FUNC_CALLED(ctx);
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
@@ -0,0 +1,68 @@
|
|||||||
|
From 5fa758767e517779fc5398b6b4faedc4e36d3de5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
|
||||||
|
Date: Fri, 12 Jul 2024 14:03:59 +0200
|
||||||
|
Subject: [PATCH] muscle: Report invalid SW when reading object
|
||||||
|
|
||||||
|
Thanks Matteo Marini for report
|
||||||
|
https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
|
||||||
|
|
||||||
|
fuzz_pkcs11/20, fuzz_pkcs15init/10
|
||||||
|
|
||||||
|
CVE: CVE-2024-45616
|
||||||
|
Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/5fa758767e517779fc5398b6b4faedc4e36d3de5]
|
||||||
|
|
||||||
|
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
|
||||||
|
---
|
||||||
|
src/libopensc/muscle.c | 19 ++++++++++---------
|
||||||
|
1 file changed, 10 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/libopensc/muscle.c b/src/libopensc/muscle.c
|
||||||
|
index a749657df..b30173ec6 100644
|
||||||
|
--- a/src/libopensc/muscle.c
|
||||||
|
+++ b/src/libopensc/muscle.c
|
||||||
|
@@ -92,33 +92,34 @@ int msc_partial_read_object(sc_card_t *card, msc_id objectId, int offset, u8 *da
|
||||||
|
apdu.resp = data;
|
||||||
|
r = sc_transmit_apdu(card, &apdu);
|
||||||
|
LOG_TEST_RET(card->ctx, r, "APDU transmit failed");
|
||||||
|
- if(apdu.sw1 == 0x90 && apdu.sw2 == 0x00)
|
||||||
|
+ if (apdu.sw1 == 0x90 && apdu.sw2 == 0x00 && dataLength <= apdu.resplen)
|
||||||
|
return dataLength;
|
||||||
|
- if(apdu.sw1 == 0x9C) {
|
||||||
|
- if(apdu.sw2 == 0x07) {
|
||||||
|
+ if (apdu.sw1 == 0x9C) {
|
||||||
|
+ if (apdu.sw2 == 0x07) {
|
||||||
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, SC_ERROR_FILE_NOT_FOUND);
|
||||||
|
- } else if(apdu.sw2 == 0x06) {
|
||||||
|
+ } else if (apdu.sw2 == 0x06) {
|
||||||
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, SC_ERROR_NOT_ALLOWED);
|
||||||
|
- } else if(apdu.sw2 == 0x0F) {
|
||||||
|
+ } else if (apdu.sw2 == 0x0F) {
|
||||||
|
/* GUESSED */
|
||||||
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, SC_ERROR_INVALID_ARGUMENTS);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
sc_log(card->ctx,
|
||||||
|
"got strange SWs: 0x%02X 0x%02X\n", apdu.sw1, apdu.sw2);
|
||||||
|
- return dataLength;
|
||||||
|
-
|
||||||
|
+ SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, SC_ERROR_UNKNOWN_DATA_RECEIVED);
|
||||||
|
}
|
||||||
|
|
||||||
|
int msc_read_object(sc_card_t *card, msc_id objectId, int offset, u8 *data, size_t dataLength)
|
||||||
|
{
|
||||||
|
- int r;
|
||||||
|
+ int r = 0;
|
||||||
|
size_t i;
|
||||||
|
size_t max_read_unit = MSC_MAX_READ;
|
||||||
|
|
||||||
|
- for(i = 0; i < dataLength; i += max_read_unit) {
|
||||||
|
+ for(i = 0; i < dataLength; i += r) {
|
||||||
|
r = msc_partial_read_object(card, objectId, offset + i, data + i, MIN(dataLength - i, max_read_unit));
|
||||||
|
LOG_TEST_RET(card->ctx, r, "Error in partial object read");
|
||||||
|
+ if (r == 0)
|
||||||
|
+ break;
|
||||||
|
}
|
||||||
|
return dataLength;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
@@ -0,0 +1,33 @@
|
|||||||
|
From aa102cd9abe1b0eaf537d9dd926844a46060d8bc Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
|
||||||
|
Date: Tue, 23 Jul 2024 10:48:32 +0200
|
||||||
|
Subject: [PATCH] card-entersafe: Check length of serial number
|
||||||
|
|
||||||
|
Thanks Matteo Marini for report
|
||||||
|
https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
|
||||||
|
|
||||||
|
fuzz_pkcs15_reader/5
|
||||||
|
|
||||||
|
CVE: CVE-2024-45616
|
||||||
|
Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/aa102cd9abe1b0eaf537d9dd926844a46060d8bc]
|
||||||
|
|
||||||
|
Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
|
||||||
|
---
|
||||||
|
src/libopensc/card-entersafe.c | 2 ++
|
||||||
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/libopensc/card-entersafe.c b/src/libopensc/card-entersafe.c
|
||||||
|
index 6372913d0..305323fd5 100644
|
||||||
|
--- a/src/libopensc/card-entersafe.c
|
||||||
|
+++ b/src/libopensc/card-entersafe.c
|
||||||
|
@@ -1468,6 +1468,8 @@ static int entersafe_get_serialnr(sc_card_t *card, sc_serial_number_t *serial)
|
||||||
|
r=entersafe_transmit_apdu(card, &apdu,0,0,0,0);
|
||||||
|
LOG_TEST_RET(card->ctx, r, "APDU transmit failed");
|
||||||
|
LOG_TEST_RET(card->ctx, sc_check_sw(card,apdu.sw1,apdu.sw2),"EnterSafe get SN failed");
|
||||||
|
+ if (apdu.resplen != 8)
|
||||||
|
+ LOG_TEST_RET(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid length of SN");
|
||||||
|
|
||||||
|
card->serialnr.len=serial->len=8;
|
||||||
|
memcpy(card->serialnr.value,rbuf,8);
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
@@ -31,6 +31,16 @@ SRC_URI = "git://github.com/OpenSC/OpenSC;branch=master;protocol=https \
|
|||||||
file://CVE-2024-45615-0003.patch \
|
file://CVE-2024-45615-0003.patch \
|
||||||
file://CVE-2024-45615-0004.patch \
|
file://CVE-2024-45615-0004.patch \
|
||||||
file://CVE-2024-45615-0005.patch \
|
file://CVE-2024-45615-0005.patch \
|
||||||
|
file://CVE-2024-45616-0001.patch \
|
||||||
|
file://CVE-2024-45616-0002.patch \
|
||||||
|
file://CVE-2024-45616-0003.patch \
|
||||||
|
file://CVE-2024-45616-0004.patch \
|
||||||
|
file://CVE-2024-45616-0005.patch \
|
||||||
|
file://CVE-2024-45616-0006.patch \
|
||||||
|
file://CVE-2024-45616-0007.patch \
|
||||||
|
file://CVE-2024-45616-0008.patch \
|
||||||
|
file://CVE-2024-45616-0009.patch \
|
||||||
|
file://CVE-2024-45616-0010.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
# CVE-2021-34193 is a duplicate CVE covering the 5 individual
|
# CVE-2021-34193 is a duplicate CVE covering the 5 individual
|
||||||
|
|||||||
Reference in New Issue
Block a user